password_verify使用password_hash错误在登录时将用户存储在会话中
[英]password_verify using password_hash error to store user in session at login
问题描述
I'm having a issue with password_hash, when i login i want to bring the user logged in Session, but do not work when i use password verify, the ECHO return nothing. 
我在使用password_hash时遇到问题,当我登录时,我想让用户登录Session,但是当我使用密码验证时,它不起作用,ECHO不返回任何内容。 How i can solve this? 我该如何解决? Thanks This is my code: 谢谢这是我的代码:
<?php
session_start();
include_once("../Backend/conexao_db.php");
if((isset($_POST['txt_usuario'])) && (isset($_POST['txt_senha']))) {
$usuario = mysqli_real_escape_string($conn, $_POST['txt_usuario']);
$pass = mysqli_real_escape_string($conn, $_POST['txt_senha']);
$passwordhash = password_hash($pass, PASSWORD_DEFAULT);
$result_usuario = "SELECT * FROM tbl_Usuario WHERE email = '$usuario' && senha = '$pass'";
$resultado_usuario = mysqli_query($conn, $result_usuario);
if ($resultado = mysqli_fetch_assoc($resultado_usuario)) {
if (password_verify($pass, $passwordhash)) {
$_SESSION['usuarioId'] = $resultado['id'];
if ($_SESSION['empresaID'] == "") {
echo $_SESSION['usuarioId'];
} else {
}
}
}
}
This code work perfectly when i not use password_verify. 当我不使用password_verify时,此代码可以正常工作。
1 个解决方案
解决方案1
1 已采纳 2017-11-16 05:50:11
What your'e doing there is useless, because you're testing the password hash you just created for matching with itself. 您在这里所做的事情没有用,因为您正在测试刚创建的用于与自身匹配的密码哈希。 This would always be true. 这将永远是正确的。
Without knowing your Session-Variables I would guess that if ($_SESSION['empresaID'] == "") is causing your error, unless you set it elsewhere. 在不知道您的会话变量的情况下,我会猜测, if ($_SESSION['empresaID'] == "")引起了您的错误,除非您在其他位置进行设置。
But to improve your code: 但是要改善您的代码:
You should store the hash in the database and test the result for a match with the inputted password. 您应该将哈希存储在数据库中,并测试结果是否与输入的密码匹配。 Goal of this procedure is that you don't have to store the password in plaintext in your database. 此过程的目标是您不必在数据库中以明文形式存储密码。
Also, please use prepared statements to prevent SQL-injection. 另外,请使用准备好的语句来防止SQL注入。 In my example I used PDO . 在我的示例中,我使用了PDO 。
With prepared statements you can avoid mysqli_real_escape_string - it would change the password if there are any special characters in it. 使用准备好的语句,您可以避免mysqli_real_escape_string如果其中包含任何特殊字符,它将更改密码。
if((!empty($_POST['txt_usuario'])) && (!empty($_POST['txt_senha']))) {
$usuario = $_POST['txt_usuario'];
$pass = $_POST['txt_senha'];
// returns a connection to pdo
$conn = Database::connectPDO();
$stmt = $conn->prepare('SELECT * FROM tbl_Usuario WHERE email = :email');
$stmt->bindParam(':email', $usuario);
if($stmt->execute()) {
while($user = $stmt->fetch(PDO::FETCH_ASSOC)) {
if(password_verify($pass, $user['senha'])) {
echo 'success';
}
}
}
}
So, if you're adding an user, you should store the password hashed in the database for this function to work: 因此,如果要添加用户,则应将散列的密码存储在数据库中,此功能才能起作用:
if((!empty($_POST['txt_usuario'])) && (!empty($_POST['txt_senha']))) {
$usuario = $_POST['txt_usuario'];
$pass = $_POST['txt_senha'];
$hashedPassword = password_hash($pass, PASSWORD_DEFAULT);
$conn = Database::connectPDO();
$stmt = $conn->prepare('INSERT INTO tbl_Usuario (email, senha) VALUES (:email, : senha)');
$stmt->bindParam(':email', $usuario);
$stmt->bindParam(':senha', $hashedPassword);
if($stmt->execute()) {
echo 'successfully registered';
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.